Pop-up Video Ads Everywhere When Browsing!

Quantum Uncertain

Posted 03 February 2015 - 08:08 PM

Hello!

I seem to have accidentally accepted malware along with some freeware. Every page I browse brings multiple sidebar and toolbar ads. I have run an old copy of Malware Bytes but the infections remained. Some toolbars prevent me from deleting them from the Uninstall Programs menu. I am including my OTL log. I really appreciate your time. Thanks for taking a look!

OTL may miss a few tho so I want to run a couple of scans and FRST before I try to kill it.

Download ADWCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button, which should say: Download Now @BleepingComputer

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.

Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site

Pause your anti-virus. Close all browsers.

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.

Press Scan button.

It will produce a log called FRST.txt in the same directory the tool is run from.

Please copy and paste log back here.

The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

Application errors:
==================
Error: (02/03/2015 11:15:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 1.2.2015.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

CodeIntegrity Errors:
===================================
Date: 2014-09-11 07:04:26.378
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:04:26.344
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:04:26.294
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.084
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.055
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.022
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:58.005
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.974
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.943
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.

Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.

(If you also want the 64 bit version then use the 64 bit version of IE to get it.)

Uninstall Snap.Do Engine

Run FRST again, check the Additions box and then Scan. You will get two logs. Post them both.

That should get the last of it. Hopefully you are not seeing any more popups or ads. Let's see if you have any damage:

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(This will check your critical system files.) Does this finish without complaint? If it says it couldn't fix everything then:

Quantum Uncertain

Posted 04 February 2015 - 01:00 PM

Thanks again!

Ran into an issue. I followed each step as directed until I came to the removal of snap.do engine. I right click on it in the Uninstall Programs menu and click "Uninstall" but nothing happens. No uninstall is initiated. It's as if the program somehow blocks the uninstallation. I don't know if I made the right decision but I continued with the rest of the instructions. I am posting the logs. The Command Prompt scan ran unhindered. All other scans and logs went without a hitch.

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

Error: (02/03/2015 11:15:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 1.2.2015.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

CodeIntegrity Errors:
===================================
Date: 2014-09-11 07:04:26.378
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:04:26.344
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:04:26.294
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.084
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.055
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 07:02:13.022
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:58.005
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.974
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.943
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.
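
An added example, not part of the original posts and not code or output from FRST: the CodeIntegrity section pasted above repeats the same event for one driver, and a short Python script can collapse such a section into one row per file with a count and a time range. The sample log is constructed in the same layout as the excerpt; the second driver path (placeholder.sys) and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: same layout as the log excerpts posted in this thread,
# shortened to three events. The placeholder.sys path is made up.
SAMPLE_LOG = r"""
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

CodeIntegrity Errors:
===================================
Date: 2014-09-11 07:04:26.378
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-11 00:58:57.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-12 10:00:00.000
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\placeholder.sys because the set of per-page image hashes could not be found on the system.
"""

# One event = a "Date:" line directly followed by its "Description:" line.
EVENT_RE = re.compile(
    r"^Date: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*\n"
    r"Description: Code Integrity is unable to verify the image integrity "
    r"of the file (?P<path>.+?) because ",
    re.MULTILINE,
)


def summarize_code_integrity(log_text):
    """Collapse repeated CodeIntegrity events into one row per file."""
    seen = defaultdict(list)
    for m in EVENT_RE.finditer(log_text):
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        seen[m.group("path")].append(ts)
    rows = []
    for path, stamps in seen.items():
        # Drop the \Device\HarddiskVolumeN prefix to get a volume-relative path.
        rel = re.sub(r"^\\Device\\HarddiskVolume\d+", "", path)
        rows.append({
            "file": rel,
            "count": len(stamps),
            "first": min(stamps),
            "last": max(stamps),
            # True when the file does not live under the Windows directory.
            "outside_windows": not rel.lower().startswith("\\windows\\"),
        })
    # Most frequent first, so the noisiest file is at the top of the list.
    return sorted(rows, key=lambda r: (-r["count"], r["file"]))


if __name__ == "__main__":
    for r in summarize_code_integrity(SAMPLE_LOG):
        where = "outside Windows dir" if r["outside_windows"] else "Windows dir"
        print(f'{r["count"]:>3}x {r["file"]} [{where}] {r["first"]} .. {r["last"]}')
```

Run against the full pasted section, the ten events for pcwtc64f.sys reduce to a single row, which makes it easier to see that one driver accounts for all of them.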

RKinner

Posted 04 February 2015 - 11:12 PM

Don't worry about Snapdo. It and WinRar Packages have probably been removed by ADWCleaner or FRST so just the uninstaller stub remains. There is no sign of them in your logs.

Looking at your error logs. There is a Fixit this one:

Log: 'Application' Date/Time: 04/02/2015 6:37:21 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

is caused by Windows Live and will slow down your shutdown. Do you even use it? Most people don't. If you don't use it uninstall it. If you do, uninstall it (Windows Live Essentials) and then download a newer version.

Does Firefox seem to be working OK? Any more popups?

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

2. Right-click VEW.exe and Run As Administrator

3. Under 'Select log to query', select:

* System

4. Under 'Select type to list', select:

* Error

* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

Right-click on ComboFix and select Run As Administrator to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

You should get a log when it finishes. If not this may mean you have the new version of Zero Access malware so run Combofix a second time.

If you still don't get a log search for Combofix.txt. It is usually at => C:\Combofix\Combofix.txt. I'll need to see that in your reply.

If you get an error about a registry value when you try to run a program, then just reboot to clear it.

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Quantum Uncertain

Posted 10 February 2015 - 07:21 PM

Unfortunately, no. I still get popup ads from "NoProblm," "similar Pro," "offers4u," and "rightcoupon," if the names of those ad companies help. Random ad videos play, key words are highlighted and underlined, linking to commercial pages on almost every site I go to. Every now and then, my browser opens up a new tab, displaying full page ads. You've helped clear a few issues for me. It's just these that are left. Thanks for your diligence. I know that if it's frustrating for me, it's frustrating for you!

1. Quit all running programs

2. For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe

3. When prompted, type 1 and validate

4. The RKreport.txt shall be generated next to the executable.

5. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next reply.

Also I see we don't have an anti-virus. Let's see if the free Avast will install.

Uncheck any additional software offers such as Google Toolbar, Chrome or Dropbox.

Stick with the Basic version and not the trial.

Some people object to the voice notification of updates. To turn it off, click on the Avast ball then on Settings then on Appearance. Then on Sounds and uncheck Automatic Updates, OK. (It will still update, it just won't tell you about it in a loud voice in the middle of the night.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Appearance, Popups and change the first two to 1 second. Their Browser Cleanup is not so user friendly since it wants to reset your home page and search engine to Yahoo so I go into Settings, Tools, and turn it off.

If you haven't registered already then right click on the orange ball and select Registration Information and click on the link. (They just want your name and email address.) The registration is good for 12-14 months then you will need to register again. They will, of course, try to talk you into buying the product but you can always register again for another year free tho it may not be the default.

Once it installs and updates and after the final reboot we want to tell it to run a boot-time scan and let it run while you sleep. This is one of its best features. It loads before most viruses so has a better chance of catching a virus. Takes around 6 hours so best to let it work while you sleep.

How to do a boot-time scan while you sleep:

First mute the speakers so it won't wake you up when Windows loads. Click on the Orange ball. Click on Scan, then Scan for Viruses and wait a couple of minutes for the page to change. Change Quickscan to Boot-time Scan. Click on Settings. Where it says Heuristic Sensitivity click on the last rectangle so that all of them are orange and it says High. Check both boxes. Then change When a threat is found ... to: Move to Chest. OK. Now click on Start. Close the Avast window and then reboot. The scan will start. It will tell you where it will save the report. Usually it's

C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location. When Windows loads Click on the Orange Ball then Scan, Then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report. If it found anything then open the aswBoot.txt file and copy and paste it. If you can't find it then take a screen shot of the Detailed Report: